The April 2023 Security Update Review

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,601
It’s the second Tuesday of the month, which means Adobe and Microsoft (and others) have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for April 2023

For April, Adobe released six bulletins addressing 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension. A total of 47 of these CVEs were reported by ZDI vulnerability researchers Mat Powell and Michael DePlante. The update for Reader is likely the most important. It corrects 16 different CVEs, and 14 of these could lead to arbitrary code execution if a threat actor can get a user to open a specially crafted PDF with an affected version of Reader. This update also includes four CVEs from Abdul-Aziz Hariri of Haboob SA that were a part of his successful demonstration at the recent Pwn2Own Vancouver.

The patch for Adobe Digital Editions corrects a single Critical-rated code execution bug. The fix for InCopy also addresses a lone Critical-rated code execution issue. The other updates are noticeably larger. The update for Substance 3D Designer addresses nine bugs, all of which are rated Critical. The fix for Substance 3D Stager corrects 14 vulnerabilities, 10 of which are rated Critical and could lead to arbitrary code execution. The final patch from Adobe covers Adobe Dimension and corrects 15 unique bugs. A total of 14 of these bugs could lead to arbitrary code execution with the other being a memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Apple Patches for April 2023

Apple had a couple of CVEs patched last week and yesterday covering two bugs under active attack. CVE-2023-28205 is a UAF in WebKit and can be found in Safari, macOS, and iOS. It can lead to code execution at the level of the logged-on user. It would need to be paired with a privilege escalation to take over a system. The second bug patched by Apple does just that. CVE-2023-28206 is a privilege escalation in the IOSurfaceAccelerator component in macOS and iOS. Apple doesn’t expressly state these were used in conjunction, but they were reported by the same researchers at the same time, so their combined use makes sense.

Microsoft Patches for April 2023

This month, Microsoft released 97 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Windows Defender; SharePoint Server; Windows Hyper-V; PostScript Printer; and Microsoft Dynamics. This is in addition to three Edge (Chromium-based) CVEs previously released and being documented today. That brings today’s total CVE count to an even 100. Six of these bugs were submitted through the ZDI program.

Of the patches released today, seven are rated Critical and 90 are rated Important in severity. While this volume does seem to be in line with past years, the number of remote code execution (RCE) bugs makes up nearly half the release. It’s unusual to see that many RCE fixes in a single month. Also, note that none of the bugs disclosed over Teams during Pwn2Own Vancouver are being addressed by Microsoft this month.

One of the new CVEs is listed as under active attack at the time of release.
 

Gandalf_The_Grey

Microsoft April 2023 Patch Tuesday fixes 1 zero-day, 97 flaws

Today is Microsoft's April 2023 Patch Tuesday, and security updates fix one actively exploited zero-day vulnerability and a total of 97 flaws.

Seven vulnerabilities have been classified as 'Critical' for allowing remote code execution, the most serious of vulnerabilities.

The number of bugs in each vulnerability category is listed below:
  • 20 Elevation of Privilege Vulnerabilities
  • 8 Security Feature Bypass Vulnerabilities
  • 45 Remote Code Execution Vulnerabilities
  • 10 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 6 Spoofing Vulnerabilities
This count does not include seventeen Microsoft Edge vulnerabilities fixed on April 6th.
 

Gandalf_The_Grey

Microsoft Windows Security Updates April 2023: What you need to know before installation

It is the second Tuesday of April 2023, and that means that Microsoft has released security updates for Windows and other company products.

Security updates were released for Microsoft Windows, Office, Microsoft Edge and many other company products.

Our overview guides system administrators and home users. It lists the released updates and known issues, includes links to support articles and direct downloads, and provides information about other updates that Microsoft released on the April 2023 Patch Tuesday.

You can download the following Excel spreadsheet. It lists the released security updates of the April 2023 Microsoft Patch Day. Click on the following link to download it: Windows Security Updates April 2023

Executive Summary

  • Microsoft released security updates for all supported client and server versions of Windows.
  • Security updates were also released for .NET Core, Azure, Microsoft Office, Microsoft Defender for Endpoint, Microsoft Edge, Visual Studio and other company products.
  • The following Windows client versions have known issues: Windows 10 version 20H2, 21H2 and 22H2, Windows 11 version 21H2 and 22H2
  • The following Windows server versions have known issues: Windows Server 2008, Windows Server 2008 R2, Windows Server 2019, Windows Server 2022
 
